NetBSD-Bugs archive
kern/49692: impossibly large mmap does not fail
>Number: 49692
>Category: kern
>Synopsis: impossibly large mmap does not fail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 24 13:55:00 +0000 2015
>Originator: Justin Cormack
>Release: 6.1.5 also 7.0 beta
>Organization:
>Environment:
NetBSD netbsd64-615.myriabit.eu 6.1.5 NetBSD 6.1.5 (XEN3_DOMU) amd64
NetBSD rhombus.myriabit.eu 7.0_BETA NetBSD 7.0_BETA (GENERIC.201409131930Z) amd64
>Description:
Calling mmap with an extremely long length does not fail, but returns a real address:
>How-To-Repeat:
#include <sys/mman.h>

/*
 * Request an anonymous private mapping of SIZE_MAX bytes, which cannot
 * possibly be satisfied. Expected: mmap() returns MAP_FAILED with ENOMEM.
 * Exit status 1 means mmap() failed as it should; exit status 0 means the
 * kernel handed back an address (the bug reproduced).
 */
int main(void)
{
	void *mem = mmap(0, (size_t)-1, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
	return (mem == MAP_FAILED);
}
kdump:
17781 1 ktrace EMUL "netbsd"
17781 1 ktrace RET ktrace 0
17781 1 ktrace CALL execve(0x7f7ffffffdff,0x7f7fffffdc48,0x7f7fffffdc58)
17781 1 ktrace NAMI "/tmp/mm"
17781 1 mm EMUL "netbsd"
17781 1 mm RET execve JUSTRETURN
17781 1 mm CALL __sysctl(0x41f8a0,2,0x62aae0,0x7f7fffffdbf8,0,0)
17781 1 mm RET __sysctl 0
17781 1 mm CALL mmap(0,0x18,3,0x1000,0xffffffff,0,0)
17781 1 mm RET mmap 140187598319616/0x7f7ff7fff000
17781 1 mm CALL _lwp_setprivate(0x7f7ff7fff000)
17781 1 mm RET _lwp_setprivate 0
17781 1 mm CALL mmap(0,0xffffffffffffffff,3,0x1002,0xffffffff,0,0)
17781 1 mm RET mmap 140187598323712/0x7f7ff8000000
17781 1 mm CALL exit(0)
This should fail with ENOMEM but it returned a valid address.
>Fix:
Haven't looked but guessing it is an overflow.
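The overflow class the submitter guesses at can be shown in user space without touching the kernel. The following is an added illustration, not code from the PR or from the NetBSD tree: it compares the classic unchecked page-rounding idiom with a variant that rejects lengths that would wrap. The page size, the function names and the "return 0 on failure" convention are assumptions made for this example; a real kernel would return ENOMEM instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed page size for the illustration (NetBSD/amd64 uses 4 KiB pages). */
#define ILLUSTRATION_PAGE_SIZE 4096UL
#define ILLUSTRATION_PAGE_MASK (ILLUSTRATION_PAGE_SIZE - 1)

/*
 * Unchecked page rounding, the idiom found in many allocators. For a length
 * close to SIZE_MAX the addition wraps and the result is 0, so a caller that
 * treats the rounded length as "how much to reserve" reserves nothing and
 * still reports success.
 */
size_t naive_round_page(size_t len)
{
	return (len + ILLUSTRATION_PAGE_MASK) & ~ILLUSTRATION_PAGE_MASK;
}

/*
 * Checked page rounding. Returns the rounded length, or 0 to signal that the
 * request is invalid: either len is 0 or len + mask would overflow size_t.
 * 0 is a safe failure value because no valid non-empty mapping rounds to 0.
 */
size_t checked_round_page(size_t len)
{
	if (len == 0)
		return 0;
	if (len > SIZE_MAX - ILLUSTRATION_PAGE_MASK)
		return 0;	/* len + ILLUSTRATION_PAGE_MASK would wrap */
	return (len + ILLUSTRATION_PAGE_MASK) & ~ILLUSTRATION_PAGE_MASK;
}

/*
 * Mimics the validation an mmap() path should do before searching for a
 * free range: 0 means the length is acceptable, 1 means it must be rejected
 * (the ENOMEM path). Hypothetical helper name.
 */
int validate_mmap_len(size_t len)
{
	return checked_round_page(len) == 0 ? 1 : 0;
}

int main(void)
{
	size_t len = (size_t)-1;	/* same length as the PR's test program */

	printf("naive rounding of SIZE_MAX:   %zu\n", naive_round_page(len));
	printf("checked rounding of SIZE_MAX: %zu (0 = rejected)\n",
	    checked_round_page(len));
	printf("validate_mmap_len(0x18):      %d\n", validate_mmap_len(0x18));
	return 0;
}
```

The interesting case is the first line of output: the unchecked form turns an impossible request into a zero-length one, which is exactly the kind of silent wrap that lets a later stage find "enough" free address space and return an address such as the 0x7f7ff8000000 seen in the kdump.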